P
US8200979B2ExpiredUtilityPatentIndex 82

Context-sensitive confidentiality within federated environments

Assignee: NADALIN ANTHONY JPriority: Mar 31, 2004Filed: Feb 27, 2010Granted: Jun 12, 2012
Est. expiryMar 31, 2024(expired)· nominal 20-yr term from priority
Inventors:NADALIN ANTHONY JWESLEY AJAMU A
H04L 63/126H04L 63/0428G06F 21/6209
82
PatentIndex Score
6
Cited by
129
References
20
Claims

Abstract

Techniques are disclosed for achieving context-sensitive confidentiality within a federated environment for which content is aggregated in a distributed Web portal (or similar aggregation framework), ensuring that message portions that should be confidential are confidential to all entities in the federated environment except those entities to which the message portions may properly be divulged. The federation may comprise an arbitrary number of autonomous security domains, and these security domains may have independent trust models and authentication services. Using the disclosed techniques, messages can be routed securely within a cross-domain federation (irrespective of routing paths), thereby ensuring that confidential information is not exposed to unintended third parties and that critical information is not tampered with while in transit between security domains. Preferred embodiments leverage Web services techniques and a number of industry standards.

Claims

exact text as granted — not AI-modified
1. A computer-implemented method of achieving context-sensitive confidentiality within a federated environment, the method comprising:
 determining a network route to be taken by a message to be transmitted in the federated environment, wherein the network route crosses a plurality of security domains in the federated environment; 
 determining, prior to transmitting the message over the network route, a plurality of nodes to be encountered on the determined route; at least one portion of the message that is security-sensitive; and, for each of the nodes and each of the security-sensitive portions, whether the node is entitled to access the security-sensitive portion; 
 selectively protecting, in the message prior to transmitting the message over the network route, each of the at least one security-sensitive portion of the message for each distinct one of the nodes which is entitled to access the security-sensitive portion; 
 creating a message receiver element for each of the selectively-protected at least one portion of the message and each distinct one of the nodes which is entitled to access the selectively-protected portion, the message receiver element identifying the node and providing a node-specific keyword corresponding to the node; and 
 transmitting the message on the determined network route, the message receiver elements enabling each of the nodes to locate and access each security-sensitive portion which the node is entitled to access and preventing the node from accessing any security-sensitive portion which the node is not entitled to access, wherein:
 the transmitted message contains information identifying an authentication authority from a first of the security domains and an identification of a sender of the message and indicates that the identified authentication authority has already authenticated the sender using security credentials thereof; and 
 the information identifying the authentication authority enables each of the plurality of nodes which receives the message in other ones of the security domains to bypass authentication of the sender for the other security domain, upon verifying authenticity of the identified authentication authority and establishing that the identified authentication authority vouches for the message. 
 
 
     
     
       2. The method according to  claim 1 , wherein the selectively protecting further comprises encrypting at least one security-sensitive portion of the message. 
     
     
       3. The method according to  claim 1 , wherein the selectively protecting further comprises computing a digital signature over at least one security-sensitive portion of the message. 
     
     
       4. The method according to  claim 1 , wherein determining the network route further comprises consulting stored policy to determine the network route to be taken for the message. 
     
     
       5. The method according to  claim 1 , wherein determining, for each of the nodes and each of the security-sensitive portions, whether the node is entitled to access the security-sensitive portion further comprises consulting stored policy for each of the nodes to be encountered on the determined route, the stored policy specifying access rights of the nodes. 
     
     
       6. The method according to  claim 1 , wherein determining, for each of the nodes and each of the security-sensitive portions, whether the node is entitled to access the security-sensitive portion further comprises determining a role of the node and determining whether nodes in the determined role are entitled to access the security-sensitive portion. 
     
     
       7. The method according to  claim 6 , wherein determining whether nodes in the determined role are entitled to access the security-sensitive portion comprises consulting stored policy for the determined role, the stored policy specifying access rights of the roles. 
     
     
       8. The method according to  claim 1 , wherein the selectively protecting further comprises encrypting each of the at least one security-sensitive portion of the message for each distinct one of the nodes which is entitled to access the security-sensitive portion, the encrypting enabling the node which is entitled to access the security-sensitive portion to decrypt the selectively-protected portion and preventing other nodes from decrypting the selectively-protected portion. 
     
     
       9. The method according to  claim 1 , wherein the determined route is specified in the transmitted message. 
     
     
       10. The method according to  claim 1 , wherein the identified authentication authority is determined to vouch for the received message if a digital signature computed by the identified authentication authority and transmitted with the message is determined, by the node receiving the message in the one of the other security domains, to be valid. 
     
     
       11. The method according to  claim 1 , wherein the transmitted message contains security credentials of the sender, the security credentials having been authenticated by the identified authentication authority and protected in the transmitted message such that only authorized ones of the nodes receiving the transmitted message in other ones of the security domains can access the protected security credentials. 
     
     
       12. The method according to  claim 11 , wherein the protected security credentials are encrypted using a public key of each of the authorized ones of the nodes receiving the transmitted message, such that each of the authorized ones can decrypt the protected security credentials using a corresponding private key. 
     
     
       13. A system for achieving context-sensitive confidentiality within a federated environment, comprising:
 a computer comprising a processor; and 
 instructions which are executable, using the processor, to implement functions comprising:
 determining a network route to be taken by a message to be transmitted in the federated environment, wherein the network route crosses a plurality of security domains in the federated environment; 
 determining, prior to transmitting the message over the network route, a plurality of nodes to be encountered on the determined route; at least one portion of the message that is security-sensitive; and, for each of the nodes and each of the security-sensitive portions, whether the node is entitled to access the security-sensitive portion; 
 selectively protecting, in the message prior to transmitting the message over the network route, each of the at least one security-sensitive portion of the message for each distinct one of the nodes which is entitled to access the security-sensitive portion; 
 creating a message receiver element for each of the selectively-protected at least one portion of the message and each distinct one of the nodes which is entitled to access the selectively-protected portion, the message receiver element identifying the node and providing a node-specific keyword corresponding to the node; and 
 transmitting the message on the determined network route, the message receiver elements enabling each of the nodes to locate and access each security-sensitive portion which the node is entitled to access and preventing the node from accessing any security-sensitive portion which the node is not entitled to access, wherein:
 the transmitted message contains information identifying an authentication authority from a first of the security domains and an identification of a sender of the message and indicates that the identified authentication authority has already authenticated the sender using security credentials thereof; and 
 the information identifying the authentication authority enables each of the plurality of nodes which receives the message in other ones of the security domains to bypass authentication of the sender for the other security domain, upon verifying authenticity of the identified authentication authority and establishing that the identified authentication authority vouches for the message. 
 
 
 
     
     
       14. The system according to  claim 13 , wherein determining, for each of the nodes and each of the security-sensitive portions, whether the node is entitled to access the security-sensitive portion further comprises consulting stored policy for each of the nodes to be encountered on the determined route, the stored policy specifying access rights of the nodes. 
     
     
       15. The system according to  claim 13 , wherein the selectively protecting further comprises encrypting each of the at least one security-sensitive portion of the message for each distinct one of the nodes which is entitled to access the security-sensitive portion, the encrypting enabling the node which is entitled to access the security-sensitive portion to decrypt the selectively-protected portion and preventing other nodes from decrypting the selectively-protected portion. 
     
     
       16. A computer program product for achieving context-sensitive confidentiality within a federated environment, the computer program product embodied on one or more non-transitory computer-readable storage media and comprising computer-readable program code for:
 determining a network route to be taken by a message to be transmitted in the federated environment, wherein the network route crosses a plurality of security domains in the federated environment; 
 determining, prior to transmitting the message over the network route, a plurality of nodes to be encountered on the determined route; at least one portion of the message that is security-sensitive; and, for each of the nodes and each of the security-sensitive portions, whether the node is entitled to access the security-sensitive portion; 
 selectively protecting, in the message prior to transmitting the message over the network route, each of the at least one security-sensitive portion of the message for each distinct one of the nodes which is entitled to access the security-sensitive portion; 
 creating a message receiver element for each of the selectively-protected at least one portion of the message and each distinct one of the nodes which is entitled to access the selectively-protected portion, the message receiver element identifying the node and providing a node-specific keyword corresponding to the node; and 
 transmitting the message on the determined network route, the message receiver elements enabling each of the nodes to locate and access each security-sensitive portion which the node is entitled to access and preventing the node from accessing any security-sensitive portion which the node is not entitled to access, wherein:
 the transmitted message contains information identifying an authentication authority from a first of the security domains and an identification of a sender of the message and indicates that the identified authentication authority has already authenticated the sender using security credentials thereof; and 
 the information identifying the authentication authority enables each of the plurality of nodes which receives the message in other ones of the security domains to bypass authentication of the sender for the other security domain, upon verifying authenticity of the identified authentication authority and establishing that the identified authentication authority vouches for the message. 
 
 
     
     
       17. The computer program product according to  claim 16 , wherein determining, for each of the nodes and each of the security-sensitive portions, whether the node is entitled to access the security-sensitive portion further comprises consulting stored policy for each of the nodes to be encountered on the determined route, the stored policy specifying access rights of the nodes. 
     
     
       18. The computer program product according to  claim 16 , wherein the selectively protecting further comprises encrypting each of the at least one security-sensitive portion of the message for each distinct one of the nodes which is entitled to access the security-sensitive portion, the encrypting enabling the node which is entitled to access the security-sensitive portion to decrypt the selectively-protected portion and preventing other nodes from decrypting the selectively-protected portion. 
     
     
       19. The computer program product according to  claim 16 , wherein the identified authentication authority is determined to vouch for the received message if a digital signature computed by the identified authentication authority and transmitted with the message is determined, by the node receiving the message in the one of the other security domains, to be valid. 
     
     
       20. The computer program product according to  claim 16 , wherein the transmitted message contains security credentials of the sender, the security credentials having been authenticated by the identified authentication authority and protected in the transmitted message such that only authorized ones of the nodes receiving the transmitted message in other ones of the security domains can access the protected security credentials.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.